If I had such rekeying issues, one or more of the following was maybe not in the right shape:
- Key times to live: different TTL on both sides for the respective component (DH, AH, ...)
- Key lengths/algorithms (rare)
- Timing issues due to packet flow (very often, due to policy-based routing in the net). Check with mtr for different routes for outgoing and incoming packets; if they have different routes, the tunnels will struggle.
= = = http://michael-schuh.net/ = = =
Project Management - IT Consulting - Professional Services IT
P.O. Box 10 21 52
66021 Saarbrücken
phone: 0681/8319664
@: m i c h a e l . s c h u h @ g m a i l . c o m
= = = VAT ID: DE251072318 = = =

2015-02-24 15:38 GMT+01:00 Bob Gustafson <bob...@rcn.com>:
> Excellent clue!
>
> On 02/24/2015 08:15 AM, Brian Candler wrote:
> > However, based on Nagios logs, after the tunnel has been up for pretty much
> > exactly one hour, it drops out again. This would coincide with the P2 SA
> > expiring and being re-negotiated.
> >
> > It would be **really** helpful if the debug message "generating
> > QUICK_MODE request" included the P2 parameters being requested, in the same
> > way the CHILD_SA message does ("TS 10.19.0.0/16|/0 === 10.26.0.0/16|/0"),
> > as according to the Cisco, it's asking for the wrong ones.
> >
> > Regards,
> >
> > Brian.
>
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold